A steady increase in the number of vulnerabilities each year has put a fresh focus on the discipline of vulnerability management. Although the Verizon 2016 Breach Investigations Report found that the top 10 vulnerabilities made up 85% of the successful exploit traffic, the remaining 15% were attributed to over 900 CVEs. This shows that we can effectively address a large number of exploits through focus on the top vulnerabilities, but the other 15% is a little more difficult. As much as we talk about and focus on the topic of zero-day attacks, the truth is that these types of undisclosed vulnerabilities and subsequent exploits make up only a small percentage of the vulnerabilities being exploited today. We are starting to see this realization reflected in enterprise security spending. In the recent Forbes Insights security survey, 60% of the 300 C-Level respondents said that “expanded vulnerability discovery and remediation” was a primary initiative in 2016. In contrast, only 30% of the respondents made putting more resources into defending against zero-day exploits a primary initiative. This is a logical response given that the vast majority of exploits are still targeting known vulnerabilities that can either be easily patched or at least easily fixed through basic coding best practices. Let’s get back to the basics and take a look at some best practices that contribute to effectively addressing the most relevant vulnerabilities and subsequently reducing our overall attack surface.
Vulnerability Scan Data Needs to be Consumable and Actionable
Sending a laundry list of vulnerabilities back and forth in the form of a spreadsheet does not bode well for anyone’s vulnerability management strategy. Yes, it is still done (often), but it is clearly not a best practice. It makes understanding new scan data, assessing risk, and working with operations teams to remediate those vulnerabilities close to impossible. Scanning needs to be regular, and the output needs to be easily consumed by both security and operations teams. Details such as vulnerability severity, age, and affected host are absolutely mandatory. If vulnerability data is easily consumable and easier to communicate, it enables security and operations teams to work more closely together to find and remediate the highest priority issues. In addition, vulnerability information also needs to be actionable. Looking for ways to integrate vulnerability data with remediation can greatly help in producing a standard and repeatable process for shortening the time between identifying a high severity vulnerability and effectively remediating it.
The Importance of Context
In any emergency, context is king in terms of understanding the problem. If we receive a call that there has been a fire, what are the first questions that come to mind? ‘Where’s the fire?’ ‘How large is it, and has it been contained?’ ‘Is anyone in danger?’ ‘Has anyone been hurt?’ We ask a similar line of questions when we look at a security risk, including vulnerabilities, and we need answers. In addition to understanding the number of vulnerabilities, their age, and their severity levels, we need more information in order to make better decisions. A good example would be: ‘Which assets are affected, and where are they on my network?’ This is critical to understanding what type of data might be exposed as a result of the vulnerability. ‘Is there a patch available?’ ‘When can I deploy it?’ If there isn’t a patch available, mitigating the risk through the real-time protection offered by a firewall or intrusion prevention system can provide a stopgap.
Keeping Pace with Vulnerabilities Into the Future
As vulnerabilities continue to increase and attackers look for low-hanging fruit, having a sound vulnerability management strategy that includes context is critical. We can mitigate a great deal of risk by focusing on the vulnerabilities that are most actively exploited; however, addressing the remainder requires building context around these issues to better understand the actual risk. As we build this context, our overall level of ‘vulnerability intelligence’ goes up, allowing us to make better security decisions. Making the right decision, at the right time, may be the difference between a line item in a spreadsheet and a significant security incident in the future. Some best practices to keep in mind as you head into 2017 include:
- Scan early and often – Vulnerability scanning should be done as early as possible in the Software Development Lifecycle (SDLC) to increase security and reduce remediation costs.
- Ensure vulnerability data is consumable and actionable – If you and other teams in your organization cannot easily understand the output of your scanning, it will be next to impossible to take action.
- Build context around your results – Work to ensure that any vulnerability results are linked to contextual information that can help you make better decisions, e.g. types of assets, data repositories, critical applications, etc.
- Work to increase your “vulnerability intelligence” – Continue to evolve your vulnerability management approach to improve your time from vulnerability discovery to remediation.
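The following is an added example, not code from the original post or from BMC, showing how the “consumable and actionable” and “context” points above can be turned into a small prioritization step: raw scan findings are joined with an asset inventory (network exposure, data handled, application criticality) and a patch catalogue, scored, and mapped to a concrete action, including a compensating control (firewall/IPS rule) when no patch exists. All findings, hostnames, CVE identifiers and the scoring weights are constructed placeholders for illustration; the weighting is one reasonable choice, not a standard.

```python
"""Added example: turn raw scan findings into prioritized, actionable work items.

Every record below (findings, asset inventory, patch catalogue) is constructed
for illustration. CVE identifiers of the form CVE-0000-000N are placeholders.
"""
from dataclasses import dataclass
from datetime import date

# Constructed scan output: the fields a scanner typically reports per finding.
SCAN_FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "first_seen": "2016-09-01"},
    {"host": "db-01",  "cve": "CVE-0000-0002", "cvss": 7.5, "first_seen": "2016-11-20"},
    {"host": "dev-03", "cve": "CVE-0000-0001", "cvss": 9.8, "first_seen": "2016-12-05"},
    {"host": "web-01", "cve": "CVE-0000-0003", "cvss": 4.3, "first_seen": "2016-06-15"},
]

# Constructed asset context: where the host sits and what data it touches.
ASSET_CONTEXT = {
    "web-01": {"exposure": "internet", "data": "customer-pii", "critical_app": True},
    "db-01":  {"exposure": "internal", "data": "customer-pii", "critical_app": True},
    "dev-03": {"exposure": "internal", "data": "test-data",    "critical_app": False},
}

# Constructed patch catalogue: whether a vendor fix exists for each CVE.
PATCH_AVAILABLE = {"CVE-0000-0001": True, "CVE-0000-0002": False, "CVE-0000-0003": True}


@dataclass
class WorkItem:
    host: str
    cve: str
    score: float
    age_days: int
    action: str


def context_multiplier(ctx):
    """Scale severity by what the asset exposes (assumed weights)."""
    m = 1.0
    if ctx["exposure"] == "internet":
        m += 1.0          # reachable from outside
    if ctx["data"] == "customer-pii":
        m += 0.5          # sensitive data behind the vulnerable host
    if ctx["critical_app"]:
        m += 0.5          # outage or compromise hurts the business directly
    return m


def age_days(first_seen_iso, today_iso):
    """Days a finding has been open; age is part of the data that must be visible."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(first_seen_iso)).days


def decide_action(cvss, patch_available, exposure):
    """Map a finding to one actionable next step instead of a spreadsheet row."""
    if patch_available:
        return "patch-now" if cvss >= 7.0 else "patch-next-window"
    if exposure == "internet":
        return "apply-ips-firewall-rule"   # no patch: compensating control as a stopgap
    return "monitor-and-track"


def prioritize(findings, assets, patches, today_iso):
    """Join findings with context and patch data; return work items, highest score first."""
    items = []
    for f in findings:
        ctx = assets[f["host"]]
        age = age_days(f["first_seen"], today_iso)
        # Age contributes at most 6 points (capped at 180 days) so stale findings surface.
        score = f["cvss"] * context_multiplier(ctx) + min(age, 180) / 30
        action = decide_action(f["cvss"], patches.get(f["cve"], False), ctx["exposure"])
        items.append(WorkItem(f["host"], f["cve"], round(score, 1), age, action))
    return sorted(items, key=lambda w: (w.score, w.age_days), reverse=True)


def group_by_action(items):
    """Bucket work items by action so each team sees only what it must do."""
    groups = {}
    for w in items:
        groups.setdefault(w.action, []).append(f"{w.host} {w.cve}")
    return groups


if __name__ == "__main__":
    ranked = prioritize(SCAN_FINDINGS, ASSET_CONTEXT, PATCH_AVAILABLE, "2017-01-01")
    for w in ranked:
        print(f"{w.score:5.1f}  {w.host:7} {w.cve}  open {w.age_days:3}d  -> {w.action}")
    for action, hosts in group_by_action(ranked).items():
        print(action, hosts)
```

Note that the same CVE ranks very differently on the internet-facing host holding customer data than on the internal development box, and that the unpatched database finding is routed to monitoring rather than a patch queue; that difference is exactly the context the post argues a spreadsheet cannot convey.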
To see the full results from the recent Forbes Insights security survey, download the complete report.
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.